package integration.rbacapi.api.v1;

import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrudWithMemberOf;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.io.IOException;
import java.net.ConnectException;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.logging.LogManager;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.kafka.common.resource.PatternType;
import org.awaitility.Awaitility;
import org.junit.Assert;
import org.slf4j.bridge.SLF4JBridgeHandler;
import org.testng.annotations.AfterClass;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.MdsTestUtil;
import utils.ScopeBuilder;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/api/v1/UserGroupTestsCommon.class */
public abstract class UserGroupTestsCommon {
    protected LdapServer ldapServer;
    protected int actualLdapPort;
    protected LdapCrud ldapCrud;
    protected static final String BROKER_USER = "kafka";
    protected static final String USER_ADMIN = "cross_cluster_user_admin";
    protected static final int LDAP_REFRESH_INTERVAL_MS = 10;
    protected static final int LDAP_MAX_PROPAGATION_INTERVAL_MS = 5000;
    private List<String> currentLdapUsers = new LinkedList();
    private List<String> currentLdapGroups = new LinkedList();
    protected RbacClusters rbacCluster;
    protected int actualMdsPort;
    protected V1RbacRestApi userAdminClient;
    protected V1RbacRestApi brokerUserClient;
    protected static MdsScope KAFKA_CLUSTER;
    protected static MdsScope KSQL_CLUSTER;

    /* JADX INFO: Access modifiers changed from: protected */
    public void setupLdap() {
        this.ldapServer = LdapServer.defaultServerNoUsers().start();
        this.actualLdapPort = this.ldapServer.actualPort();
        this.ldapCrud = new ExampleComLdapCrudWithMemberOf(this.actualLdapPort);
        this.ldapCrud.createUser("kafka");
        this.ldapCrud.createUser(USER_ADMIN);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setupClusters(RbacClusters.Config config) throws Exception {
        this.rbacCluster = new RbacClusters(config);
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacCluster);
        waitForClusterToBoot();
        this.brokerUserClient = getApiClientForNewUser("kafka");
        this.brokerUserClient.addClusterRoleForPrincipal("User:cross_cluster_user_admin", "UserAdmin", KAFKA_CLUSTER).execute();
        this.brokerUserClient.addClusterRoleForPrincipal("User:cross_cluster_user_admin", "UserAdmin", KSQL_CLUSTER).execute();
        this.userAdminClient = getApiClientForNewUser(USER_ADMIN);
    }

    @AfterClass
    public void tearDown() {
        this.ldapServer.stop();
        this.rbacCluster.shutdown();
        MdsTestUtil.releasePort(this.actualMdsPort);
    }

    @BeforeMethod
    public void setup() throws Exception {
        cleanupUsersGroups();
    }

    @AfterMethod
    public void cleanup() throws Exception {
        cleanupUsersGroups();
    }

    @Test
    public void accessCheck_nonAdminUserShouldNotSeeAnything() throws Exception {
        V1RbacRestApi apiClientForNewUser = getApiClientForNewUser(createUser());
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, false);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KSQL_CLUSTER, false);
    }

    @Test
    public void accessCheck_anyClusterAdminShouldSeeSomethingForCorrectScope() throws Exception {
        String createUser = createUser();
        V1RbacRestApi apiClientForNewUser = getApiClientForNewUser(createUser);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, false);
        assignClusterRoleToUser(KAFKA_CLUSTER, createUser, "UserAdmin");
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, true);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KSQL_CLUSTER, false);
    }

    @Test
    public void accessCheck_anyResourceOwnerShouldSeeSomethingForCorrectScope() throws Exception {
        String createUser = createUser();
        V1RbacRestApi apiClientForNewUser = getApiClientForNewUser(createUser);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, false);
        assignResourceRoleToUser(KAFKA_CLUSTER, createUser, "ResourceOwner", Collections.singletonList(new ResourcePattern("Topic", "*", PatternType.LITERAL)));
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, true);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KSQL_CLUSTER, false);
    }

    @Test
    public void accessCheck_usersInheritAdminPermissionsFromGroups() throws Exception {
        String createUser = createUser();
        V1RbacRestApi apiClientForNewUser = getApiClientForNewUser(createUser);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, false);
        String createGroup = createGroup();
        addUserToGroup(createUser, createGroup);
        waitAndCheckForUserToAppear(createUser);
        waitAndCheckForGroupToAppear(createGroup);
        assignClusterRoleToGroup(KAFKA_CLUSTER, createGroup, "UserAdmin");
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KAFKA_CLUSTER, true);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser, KSQL_CLUSTER, false);
        String createUser2 = createUser();
        V1RbacRestApi apiClientForNewUser2 = getApiClientForNewUser(createUser2);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser2, KAFKA_CLUSTER, false);
        String createGroup2 = createGroup();
        addUserToGroup(createUser2, createGroup2);
        waitAndCheckForUserToAppear(createUser2);
        waitAndCheckForGroupToAppear(createGroup2);
        assignResourceRoleToGroup(KAFKA_CLUSTER, createGroup2, "ResourceOwner", Collections.singletonList(new ResourcePattern("Topic", "*", PatternType.LITERAL)));
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser2, KAFKA_CLUSTER, true);
        accessCheckIfClientCanActAsAdminOnScope(apiClientForNewUser2, KSQL_CLUSTER, false);
    }

    @Test
    public void commonContentCheck_shouldSeeCorrectUserGroupList() throws Exception {
        String createGroup = createGroup();
        addUserToGroup("kafka", createGroup);
        addUserToGroup(USER_ADMIN, createGroup);
        waitAndCheckForMdsDataToMatchLocalData();
        String createUser = createUser();
        String createUser2 = createUser();
        String createGroup2 = createGroup();
        addUserToGroup(createUser, createGroup2);
        addUserToGroup(createUser2, createGroup2);
        waitAndCheckForMdsDataToMatchLocalData();
        deleteUser(createUser);
        deleteUser(createUser2);
        deleteGroup(createGroup2);
        waitAndCheckForMdsDataToMatchLocalData();
    }

    @Test
    public void commonContentCheck_shouldGetDeterministicSortedOutput() throws Exception {
        String createGroup = createGroup();
        addUserToGroup("kafka", createGroup);
        addUserToGroup(USER_ADMIN, createGroup);
        for (int i = 0; i < LDAP_REFRESH_INTERVAL_MS; i++) {
            addUserToGroup(createUser(), createGroup());
        }
        waitAndCheckForMdsDataToMatchLocalData();
        Assert.assertEquals(getUserListReturnedByMds(), getUserListReturnedByMds());
        Assert.assertEquals(getGroupListReturnedByMds(), getGroupListReturnedByMds());
        Assert.assertEquals(getUserAndGroupReturnedByMds(), getUserAndGroupReturnedByMds());
        Assert.assertEquals((List) getUserListReturnedByMds().stream().sorted().collect(Collectors.toList()), getUserListReturnedByMds());
        Assert.assertEquals((List) getGroupListReturnedByMds().stream().sorted().collect(Collectors.toList()), getGroupListReturnedByMds());
        Assert.assertEquals((List) getUserAndGroupReturnedByMds().stream().sorted().collect(Collectors.toList()), getUserAndGroupReturnedByMds());
    }

    protected static void assertEqualsWithAwait(Object obj, Object obj2) {
        Awaitility.await().atMost(2L, TimeUnit.SECONDS).untilAsserted(() -> {
            Assert.assertEquals(obj, obj2);
        });
    }

    private static void accessCheckIfClientCanActAsAdminOnScope(V1RbacRestApi v1RbacRestApi, MdsScope mdsScope, boolean z) throws IOException {
        int i = z ? 200 : 403;
        int i2 = z ? 400 : 400;
        Assert.assertEquals(i, v1RbacRestApi.getUserGroupList(mdsScope, null).execute().code());
        Assert.assertEquals(i, v1RbacRestApi.getUserGroupList(mdsScope, "user").execute().code());
        Assert.assertEquals(i, v1RbacRestApi.getUserGroupList(mdsScope, "group").execute().code());
        Assert.assertEquals(i2, v1RbacRestApi.getUserGroupList(mdsScope, "NeitherUserNorGroup").execute().code());
    }

    private void waitForClusterToBoot() {
        V1RbacRestApi build = V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "kafka", "kafka");
        Awaitility.given().ignoreException(ConnectException.class).await().atMost(25L, TimeUnit.SECONDS).untilAsserted(() -> {
            Assert.assertEquals("MDS/Kafka didn't start in time.", 200L, build.getRoleNames().execute().code());
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String createUser() {
        String str = "testUser-" + RandomStringUtils.randomAlphabetic(8);
        this.ldapCrud.createUser(str);
        this.currentLdapUsers.add(str);
        return str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void deleteUser(String str) {
        this.ldapCrud.deleteUser(str);
        this.currentLdapUsers.remove(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String createGroup() {
        String str = "testGroup-" + RandomStringUtils.randomAlphabetic(8);
        this.ldapCrud.createGroup(str);
        this.currentLdapGroups.add(str);
        return str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void deleteGroup(String str) {
        this.ldapCrud.deleteGroup(str);
        this.currentLdapGroups.remove(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void addUserToGroup(String str, String str2) {
        this.ldapCrud.addUserToGroup(str, str2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void removeUserFromGroup(String str, String str2) {
        this.ldapCrud.removeUserFromGroup(str, str2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> getExpectedListOfAllUsers() {
        LinkedList linkedList = new LinkedList(this.currentLdapUsers);
        linkedList.add("kafka");
        linkedList.add(USER_ADMIN);
        return (List) linkedList.stream().map(str -> {
            return "User:" + str;
        }).sorted().collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> getExpectedListOfAllGroups() {
        return (List) this.currentLdapGroups.stream().map(str -> {
            return "Group:" + str;
        }).sorted().collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> getUserListReturnedByMds() throws Exception {
        Response execute = this.userAdminClient.getUserGroupList(KAFKA_CLUSTER, "user").execute();
        Assert.assertEquals(200L, execute.code());
        return (List) execute.body();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> getGroupListReturnedByMds() throws Exception {
        Response execute = this.userAdminClient.getUserGroupList(KAFKA_CLUSTER, "group").execute();
        Assert.assertEquals(200L, execute.code());
        return (List) execute.body();
    }

    protected List<String> getUserAndGroupReturnedByMds() throws Exception {
        Response execute = this.userAdminClient.getUserGroupList(KAFKA_CLUSTER, null).execute();
        Assert.assertEquals(200L, execute.code());
        return (List) execute.body();
    }

    private void cleanupUsersGroups() throws Exception {
        if (!this.currentLdapUsers.isEmpty()) {
            String str = this.currentLdapUsers.get(this.currentLdapUsers.size() - 1);
            Iterator<String> it = this.currentLdapUsers.iterator();
            while (it.hasNext()) {
                this.ldapCrud.deleteUser(it.next());
            }
            this.currentLdapUsers = new LinkedList();
            waitAndCheckForUserToDisappear(str);
        }
        if (this.currentLdapGroups.isEmpty()) {
            return;
        }
        String str2 = this.currentLdapGroups.get(this.currentLdapGroups.size() - 1);
        Iterator<String> it2 = this.currentLdapGroups.iterator();
        while (it2.hasNext()) {
            this.ldapCrud.deleteGroup(it2.next());
        }
        this.currentLdapGroups = new LinkedList();
        waitAndCheckForGroupToDisappear(str2);
    }

    private V1RbacRestApi getApiClientForNewUser(String str) {
        V1RbacRestApi build = V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str, str);
        Awaitility.given().ignoreException(ConnectException.class).await().atMost(25L, TimeUnit.SECONDS).untilAsserted(() -> {
            Assert.assertEquals("New user didn't propagate to MDS in time.", 200L, build.getRoleNames().execute().code());
        });
        return build;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForGroupToAppear(String str) {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertTrue(getGroupListReturnedByMds().contains("Group:" + str));
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForUserToAppear(String str) {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertTrue(getUserListReturnedByMds().contains("User:" + str));
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForGroupToDisappear(String str) {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertFalse(getGroupListReturnedByMds().contains("Group:" + str));
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForUserToDisappear(String str) {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertFalse(getUserListReturnedByMds().contains("User:" + str));
        });
    }

    protected void waitAndCheckForGroupListToBeEmpty() {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertTrue(getGroupListReturnedByMds().isEmpty());
        });
    }

    protected void waitAndCheckForUserListToBeEmpty() {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertTrue(getUserListReturnedByMds().isEmpty());
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForMdsGroupsToMatchLocalGroups() {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertEquals(getExpectedListOfAllGroups(), getGroupListReturnedByMds());
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void waitAndCheckForMdsUsersToMatchLocalUsers() {
        Awaitility.with().pollDelay(10L, TimeUnit.MILLISECONDS).and().pollInterval(10L, TimeUnit.MILLISECONDS).await().atMost(5000L, TimeUnit.MILLISECONDS).untilAsserted(() -> {
            Assert.assertEquals(getExpectedListOfAllUsers(), getUserListReturnedByMds());
        });
    }

    protected void waitAndCheckForMdsDataToMatchLocalData() throws Exception {
        waitAndCheckForMdsUsersToMatchLocalUsers();
        waitAndCheckForMdsGroupsToMatchLocalGroups();
        Assert.assertEquals((List) Stream.concat(getExpectedListOfAllGroups().stream(), getExpectedListOfAllUsers().stream()).collect(Collectors.toList()), getUserAndGroupReturnedByMds());
    }

    private void assignClusterRoleToUser(MdsScope mdsScope, String str, String str2) throws IOException {
        Assert.assertEquals(204L, this.userAdminClient.addClusterRoleForPrincipal("User:" + str, str2, mdsScope).execute().code());
    }

    private void assignClusterRoleToGroup(MdsScope mdsScope, String str, String str2) throws IOException {
        Assert.assertEquals(204L, this.userAdminClient.addClusterRoleForPrincipal("Group:" + str, str2, mdsScope).execute().code());
    }

    private void assignResourceRoleToUser(MdsScope mdsScope, String str, String str2, List<ResourcePattern> list) throws IOException {
        Assert.assertEquals(204L, this.userAdminClient.addRoleResourcesForPrincipal("User:" + str, str2, new ResourcesRequest(mdsScope, list)).execute().code());
    }

    private void assignResourceRoleToGroup(MdsScope mdsScope, String str, String str2, List<ResourcePattern> list) throws IOException {
        Assert.assertEquals(204L, this.userAdminClient.addRoleResourcesForPrincipal("Group:" + str, str2, new ResourcesRequest(mdsScope, list)).execute().code());
    }

    static {
        LogManager.getLogManager().reset();
        SLF4JBridgeHandler.install();
        KAFKA_CLUSTER = ScopeBuilder.withKafka("kafka1").build();
        KSQL_CLUSTER = ScopeBuilder.withKafka("kafka1").withKSQL("ksql1").build();
    }
}
